The OpenSSL Heartbleed disaster definitely opened up many people’s eyes to how underfunded and understaffed many of the open source projects the web relies on are. To prevent the next Heartbleed, Facebook, Google, Intel, Microsoft, NetApp, Qualcomm, VMware and The Linux Foundation today announced the “Core Infrastructure Initiative.” This initiative will fund and support important open source projects “that are in need of assistance.”
While it’s not clear how much money each of the participants is contributing, the Linux Foundation — which organized this program — says this is a “multi-million dollar project” and should be seen as the industry’s collective response to the Heartbleed crisis. The Linux Foundation will administer the initiative’s funds.
Unsurprisingly, the OpenSSL project will be the first to receive fellowship funding from the initiative. The idea behind the fellowships is to allow key developers to work on these projects full-time. Besides the funding, the projects that will receive support from the initiative will also get other forms of assistance to improve their security, including outside reviews, security audits, computing and test infrastructure, travel and other support.
Considering the importance of a project like OpenSSL, it is indeed somewhat shameful that it only received about $2,000 per year in donations. Money alone, of course, may not have been enough to help catch the Heartbleed bug, so it’s good to see that the participating companies are also dedicating test resources to this project.
“Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects,” said Jim Zemline, the executive director of the Linux Foundation in a statement today.
The idea behind open source, of course, is to get as many people as possible to produce high-quality code that is also secure. Many of the projects we rely on day in and day out, however, have grown so complex that having only a few part-time developers working on them isn’t enough to ensure their quality and security. The Linux Foundation acknowledges as much today.
“The most recent Coverity Open Scan study of software quality has shown that open source code quality surpasses proprietary code quality. But as all software has grown in complexity – with interoperability between highly complex systems now the standard – the needs for developer support has grown.”
Looking ahead, the Core Infrastructure Initiative plans to move away from what is clearly a reactive post-crisis mode to a more proactive mode. Going forward, the initiative will focus more strongly on proactive reviews that identify the need of the most important projects — hopefully before the next Heartbleed crisis hits.